Adobe's 2020 deadline for the death of Flash can't arrive soon enough. A previously unseen form of ransomware has spread through eastern Europe.

The new strain of ransomware, dubbed Bad Rabbit, was first spotted on October 24. To date, the systems attacked have mostly been confined to Russia and Ukraine. The ransomware is the third major spread of malware this year: it follows the wider-reaching WannaCry and NotPetya strains of malicious code. Here's what we know about Bad Rabbit so far.


So what is Bad Rabbit?

The Bad Rabbit ransomware spreads through "drive-by attacks" where insecure websites are compromised. "While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure," according to analysis by Kaspersky Labs.


In this instance, the malware is disguised as an Adobe Flash installer. When the innocent-looking file is opened, it starts locking the infected computer. The fake Flash download is served from compromised websites through JavaScript injected into their HTML or Java files. The malware isn't installed automatically, which means the user has to click on it for it to work.

If a person does click on the malicious installer – and given the number of Flash updates issued, this is highly probable – their computer locks. The ransom note and payment page demand around $280 in Bitcoin and give a 40-hour deadline for payment to be made. The DiskCryptor software is being used to encrypt hard drives.


Who has it been hitting?

Unlike WannaCry and NotPetya, Bad Rabbit hasn't spread widely. The majority of incidents have been recorded in Russia and Ukraine. According to security company Eset, which published a blog post on Bad Rabbit, there are a number of Russian domains (.ru) that have been affected. Kaspersky adds that "all" of the compromised websites it has seen have been news or media outlets.

"Most of the targets are located in Russia," Kaspersky says. "Similar but fewer attacks have also been seen in other countries – Ukraine, Turkey and Germany. Overall, there are almost 200 targets, according to the KSN statistics". These have included the Kiev Metro and Odessa airport. In response, the Ukrainian national computer emergency team issued a warning about Bad Rabbit.

So far there haven't been any attacks seen in the UK. The National Cyber Security Centre says it is aware of Bad Rabbit and is monitoring the situation. It recommends that all software security updates be installed.

Where's it coming from?


The ransomware exploits the Server Message Block (SMB) protocol, a technique that was also seen in NotPetya. Analysis by Malwarebytes concluded that Bad Rabbit was "probably prepared by the same authors" as NotPetya.

While Bad Rabbit doesn't appear to include the EternalBlue Windows exploit that was stolen from the NSA and used in NotPetya and WannaCry, it does use another of the agency's leaked exploits. Further research from Cisco's Talos found that Bad Rabbit exploited SMB through the NSA's EternalRomance exploit.

"We identified the usage of the EternalRomance exploit to propagate in the network," Talos said in a blog post. "This exploit takes advantage of a vulnerability described in the Microsoft MS17-010 security bulletin."